Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5Blast Radius
ecosystem impact- 1 npm packages depend on openclaw (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 2026.4.9.
DescriptionCVE.org
OpenClaw before 2026.4.9 contains an environment variable injection vulnerability allowing malicious workspace .env files to set runtime-control variables. Attackers can inject variables affecting update sources, gateway URLs, ClawHub resolution, and browser executable paths to compromise application behavior.
AnalysisAI
Environment variable injection in OpenClaw npm package versions before 2026.4.9 allows local attackers with low privileges to compromise application behavior through malicious workspace .env files. Attackers can redirect update sources to serve backdoored packages, modify gateway URLs and ClawHub resolution endpoints to intercept traffic, and override browser executable paths to launch attacker-controlled binaries. Vendor-released patch: version 2026.4.9, with fix also present in latest npm release 2026.4.14. No public exploit identified at time of analysis, but exploitation requires only an untrusted repository with a crafted .env file opened by a victim user.
Technical ContextAI
This vulnerability (CWE-15: External Control of System or Configuration Setting) affects the dotenv configuration loading mechanism in OpenClaw, an npm package for AI-assisted development workflows. The affected product (cpe:2.3:a:openclaw:openclaw) loads workspace-local .env files to set environment variables but failed to filter runtime-control variables before version 2026.4.9. The commit dbfcef319618158fa40b31cdac386ea34c392c0c introduces a comprehensive blocklist of 37 sensitive variable names and six prefix families (OPENCLAW_UPDATE_*, OPENCLAW_SKIP_*, OPENCLAW_DISABLE_*, OPENCLAW_CLAWHUB_*, CLAWHUB_*, ANTHROPIC_API_KEY_*) to prevent workspace .env files from hijacking application runtime behavior. The fix preserves user-defined environment variables (like GITHUB_TOKEN, DATABASE_URL_CUSTOM) while blocking variables controlling update mechanisms (OPENCLAW_UPDATE_PACKAGE_SPEC), network routing (OPENCLAW_GATEWAY_URL, CLAWHUB_URL), authentication tokens (CLAWHUB_TOKEN, CLAWHUB_AUTH_TOKEN), binary execution paths (BROWSER_EXECUTABLE_PATH, PLAYWRIGHT_CHROMIUM_EXECUTABLE_PATH), plugin catalog sources (OPENCLAW_PLUGIN_CATALOG_PATHS), and diagnostic controls (OPENCLAW_SHOW_SECRETS). The vulnerability exists because workspace .env files, intended for project-specific configuration, could override system-level security controls designed to protect the OpenClaw runtime environment.
RemediationAI
Upgrade the OpenClaw npm package to version 2026.4.9 or later, with 2026.4.14 recommended as the current stable release incorporating the fix. Execute 'npm update openclaw' or modify package.json to specify '"openclaw": "^2026.4.9"' and run 'npm install'. The fix is implemented in commit dbfcef319618158fa40b31cdac386ea34c392c0c and merged via pull request #62660, both linked in the GitHub advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-7wv4-cc7p-jhxc. The patch introduces a blocklist of 37 runtime-control variables and six prefix families to prevent workspace .env files from injecting sensitive configuration. If immediate upgrade is not feasible, implement compensating controls: (1) Restrict workspace .env file permissions to read-only for the OpenClaw process user to prevent runtime modification, though this does not block load-time injection; (2) Conduct manual code review of all .env files in cloned repositories before opening workspaces, searching for blocked variable names listed in the advisory (OPENCLAW_UPDATE_PACKAGE_SPEC, OPENCLAW_GATEWAY_URL, BROWSER_EXECUTABLE_PATH, CLAWHUB_TOKEN, etc.) - this is labor-intensive and error-prone; (3) Run OpenClaw in a sandboxed environment (container, VM) with network egress filtering to prevent gateway redirection and update source compromise, accepting the operational overhead of managing isolated development environments. These workarounds introduce significant friction to developer workflows and do not fully mitigate the vulnerability; upgrading to the patched version remains the only complete remediation.
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b
OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att
An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.
OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e
Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in
OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all
OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director
OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func
OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste
OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low
OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec
Same technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27273